<div dir="ltr">Hi Jon,<div><br></div><div>Instead of configuring Zeek to say these are likely to be server ports:</div><div>What would happen if we introduced a check for the source port as well as the destination port?</div><div>Did you consider this approach?</div><div><br></div><div>Thanks and Regards,</div><div>Nabil</div><div>Phone: +91 81477 17034</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 7, 2020 at 2:41 PM Nabil Memon <<a href="mailto:nabilmemon.ec@gmail.com">nabilmemon.ec@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Awesome, thanks! <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <<a href="mailto:jsiwek@corelight.com" target="_blank">jsiwek@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <<a href="mailto:nabilmemon.ec@gmail.com" target="_blank">nabilmemon.ec@gmail.com</a>> wrote:<br>
<br>
> Is there any way I can extract UDP contents from both the request (no problem extracting request content) and the response without adding ports to the "likely_server_ports" list?<br>
<br>
Think modifying "likely_server_ports" is the right approach here.<br>
<br>
> Even when I am adding those ports in the list, I don't get the event.<br>
<br>
Yeah, that looks like a bit of a deficiency in how UDP contents<br>
generally works for those "content delivery ports" tables: it's just<br>
tracking the exact "destination port" per UDP packet, so I'm<br>
suggesting to add an additional option to instead track according to<br>
the Connection's "responder" port. That will also correctly track any<br>
role flipping that occurs from the "likely server ports" logic. The<br>
PR for this is here:<br>
<br>
<a href="https://github.com/zeek/zeek/pull/900" rel="noreferrer" target="_blank">https://github.com/zeek/zeek/pull/900</a><br>
<br>
- Jon<br>
</blockquote></div>
</blockquote></div>
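<p>The lookup behaviour Jon describes above (per-packet destination port versus the connection's responder port, after the "likely server ports" role flip), modelled as a small added Python example; this is not Zeek code or code from the thread, and the port numbers, table contents and packet exchange are constructed for illustration.</p>

```python
from dataclasses import dataclass

# Constructed configuration: a SIP-like UDP service on 5060 that we want
# UDP contents delivered for in both directions.
LIKELY_SERVER_PORTS = {5060}   # ports Zeek-style logic treats as the server side
DELIVERY_PORTS_ORIG = {5060}   # deliver originator->responder contents for these ports
DELIVERY_PORTS_RESP = {5060}   # deliver responder->originator contents for these ports


@dataclass
class Packet:
    sport: int
    dport: int


@dataclass
class Conn:
    orig_port: int
    resp_port: int


def connection_from_first_packet(pkt: Packet) -> Conn:
    """Role assignment with the 'likely server ports' flip: if the first packet
    comes from a likely server port towards a non-server port, its sender is the
    responder even though it spoke first (e.g. a capture that missed the request)."""
    if pkt.sport in LIKELY_SERVER_PORTS and pkt.dport not in LIKELY_SERVER_PORTS:
        return Conn(orig_port=pkt.dport, resp_port=pkt.sport)
    return Conn(orig_port=pkt.sport, resp_port=pkt.dport)


def delivers_contents(conn: Conn, pkt: Packet, use_resp_port: bool) -> bool:
    """Decide whether this packet's payload would be delivered. The direction picks
    the table; the key is either the packet's own destination port (the behaviour
    the thread calls deficient) or the connection's responder port (the proposed
    option), which is what makes the reply direction match too."""
    is_orig = pkt.sport == conn.orig_port
    table = DELIVERY_PORTS_ORIG if is_orig else DELIVERY_PORTS_RESP
    key = conn.resp_port if use_resp_port else pkt.dport
    return key in table


def simulate(packets: list[Packet], use_resp_port: bool) -> list[bool]:
    """Return, per packet, whether contents would be delivered under the chosen lookup."""
    conn = connection_from_first_packet(packets[0])
    return [delivers_contents(conn, p, use_resp_port) for p in packets]


# Constructed exchanges: a normal request/reply, and one where the capture
# starts with the server's packet so the role flip kicks in.
REQUEST_FIRST = [Packet(40123, 5060), Packet(5060, 40123)]
REPLY_FIRST = [Packet(5060, 40123), Packet(40123, 5060)]
```

<p>With the destination-port lookup the reply (destination port 40123) never matches, which is the missing event described in the thread; keyed on the responder port, both directions match in both captures.</p>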